[withdrawn] fs-pipec-implement-minimum-pipe-size-for-arg==0.patch removed from -mm tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The patch titled
     Subject: fs/pipe.c: implement minimum pipe size for arg==0
has been removed from the -mm tree.  Its filename was
     fs-pipec-implement-minimum-pipe-size-for-arg==0.patch

This patch was dropped because it was withdrawn

------------------------------------------------------
From: Randy Dunlap <rdunlap@xxxxxxxxxxxxx>
Subject: fs/pipe.c: implement minimum pipe size for arg==0

Shankara reports that running Syskaller with UBSAN causes this message:
  UBSAN: Undefined behaviour in ./include/linux/log2.h:57:13

Syzkaller is trying to set the pipe size to 0UL. The call chain is:
	pipe_set_size(pipe, 0UL)
	...
	size = round_pipe_size(arg); // arg == 0UL
which does
	nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; // = 0UL
	return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
which is undefined when the argument is 0... and which calls
	fls_long(-1) // == 64
and then returns 1UL << 64. This is where UBSAN kicks in.

The fcntl() man page [http://man7.org/linux/man-pages/man2/fcntl.2.html]
says that:
	Attempts to set the pipe capacity below the page size are
	silently rounded up to the page size.

We could try to fix the basic low-level functions to handle 0 (where
<linux/log2.h> says the result is undefined when n == 0), but the safest
path for now is probably just to patch fs/pipe.c to make the documented
default happen when arg is 0.

Link: http://lkml.kernel.org/r/b1c6b6fa-1917-da84-f1f4-0fafd6cac732@xxxxxxxxxxxxx
Signed-off-by: Randy Dunlap <rdunlap@xxxxxxxxxxxxx>
Reported-by: Shankara Pailoor <sp3485@xxxxxxxxxxxx>
Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Michael Kerrisk <mtk.manpages@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 fs/pipe.c |    2 ++
 1 file changed, 2 insertions(+)

diff -puN fs/pipe.c~fs-pipec-implement-minimum-pipe-size-for-arg==0 fs/pipe.c
--- a/fs/pipe.c~fs-pipec-implement-minimum-pipe-size-for-arg==0
+++ a/fs/pipe.c
@@ -1038,6 +1038,8 @@ static long pipe_set_size(struct pipe_in
 	unsigned long user_bufs;
 	long ret = 0;
 
+	if (!arg)
+		arg = PAGE_SIZE;
 	size = round_pipe_size(arg);
 	nr_pages = size >> PAGE_SHIFT;
 
_

Patches currently in -mm which might be from rdunlap@xxxxxxxxxxxxx are


--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel Archive]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]

  Powered by Linux